ssl-cert-check
No way to target specific vhost on shared server
The script does not allow for specifying a different target server and vhost like you would do with cURL using the Host header. The openssl s_client command does have the -servername switch which makes it possible, but the script uses the same server name for both the s_client host and the -servername value, so it's not useful for this use case.
It would be useful if we would be able to call the script like so:
ssl-cert-check -s hosting_server_name -H actual_virtual_host_address -x 30
Example, say my hosting server is named webhost1.mydomain, and the site I want to check is mysite.mydomain, I would do this:
ssl-cert-check -s webhost1.mydomain -H mysite.mydomain -x 30
The command would then check the SSL cert returned for that specific site only.
When the address mysite.mydomain points to only a single server, that's not an issue, but if it's a virtual IP pointing to a load balancer or proxy which may be serving its own SSL certificate, this is a problem if you want to check the backend servers directly.
Thanks!
Let me take a look to see what we can do here. Thanks for the issue.
I believe this was fixed in version 3.29 by commit 8f9b3d2b.
Can someone shed light on how the linked commit above would allow specifying the host to connect to alongside specifying the FQDN to check the certificate?
I need this option too, as we have an internal and an external server with the same FQDN and certificate. But the two hosts can be accessed by their own hostname.
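The check requested in this issue, written directly against openssl s_client as an added example (it is not ssl-cert-check's code and not the linked commit). The function names are hypothetical and the host names are the ones from the issue; it connects to one host, sends a different name as SNI, then confirms the returned certificate covers that name before testing expiry.

```shell
#!/bin/sh
# Added example: not ssl-cert-check's code; all function names are hypothetical.

# Connect to CONNECT_HOST:PORT but send VHOST as the TLS SNI name,
# then print the leaf certificate the server selected, as PEM.
fetch_vhost_cert() (
    connect_host=$1; vhost=$2; port=${3:-443}
    openssl s_client -connect "${connect_host}:${port}" -servername "$vhost" \
        </dev/null 2>/dev/null | openssl x509 -outform PEM 2>/dev/null
)

# PEM on stdin. Succeeds only if the certificate is valid for VHOST, which
# catches a server or proxy answering with its own default certificate.
cert_matches_host() (
    openssl x509 -noout -checkhost "$1" 2>/dev/null |
        grep -q 'does match certificate'
)

# PEM on stdin. 0 = expires within DAYS, 1 = still valid then, 2 = unreadable.
cert_expires_within() (
    out=$(openssl x509 -noout -checkend "$(( $1 * 86400 ))" 2>/dev/null) || true
    case $out in
        *"will not expire"*) exit 1 ;;
        *"will expire"*)     exit 0 ;;
        *)                   exit 2 ;;
    esac
)

# check_vhost CONNECT_HOST VHOST DAYS [PORT]
# Exit status: 0 valid, 1 expiring, 2 wrong certificate, 3 nothing returned.
check_vhost() (
    pem=$(fetch_vhost_cert "$1" "$2" "${4:-443}") || pem=
    [ -n "$pem" ] || { echo "UNKNOWN: no certificate from $1" >&2; exit 3; }
    printf '%s\n' "$pem" | cert_matches_host "$2" ||
        { echo "CRITICAL: $1 did not return a certificate for $2" >&2; exit 2; }
    if printf '%s\n' "$pem" | cert_expires_within "$3"; then
        echo "WARNING: $2 via $1 expires within $3 days"; exit 1
    fi
    echo "OK: $2 via $1 is valid for more than $3 days"
)

# Usage with the names from the issue:
#   check_vhost webhost1.mydomain mysite.mydomain 30
```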